
That is super lucky. They didn't break the crypto, they broke the PRNG. Amateur wallet design. Any security programmer with a passing knowledge of the NIST entropy requirements (SP 800-90A/B/C) would never have done this.



To be fair, this was not a wallet bug. It was a bug in an unrelated password manager.


Ah good point. Thanks.


Almost all cryptosystems are broken by implementation issues, not attacks on the algorithms themselves. This may be a particularly straightforward attack, but crypto is hard. There's a lot of details you have to get right and a single mistake can destroy all the effort, regardless of how much else you got right.


This happens all the time. If I had a nickel for every system I broke with a time-based PRNG, I'd have like 10 bucks by now.
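What "breaking a time-based PRNG" looks like in practice, as an added example (not code from the thread or from the affected product): a toy wallet takes its 256-bit key from a non-cryptographic PRNG seeded with an epoch timestamp in milliseconds, and an attacker who knows only the public address and roughly when the key was made tries every millisecond in a window. The `derive_address` hash is an assumed stand-in for a real public-key derivation; the one-way step does not help, because the seed space, not the key space, is what gets searched. A full year of millisecond timestamps is only about 3 x 10^10 seeds, which is tractable offline. The `strong_keygen` at the end shows the fix: take bytes from the OS CSPRNG, so there is no seed to guess.

```python
import hashlib
import random
import secrets
import time
from typing import Optional

KEY_BYTES = 32


def weak_keygen(seed_ms: int) -> bytes:
    """The flawed pattern: a 256-bit 'private key' pulled from a
    non-cryptographic PRNG seeded with an epoch timestamp in milliseconds.
    Python's random.Random is Mersenne Twister and is fully determined by the seed."""
    rng = random.Random(seed_ms)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def derive_address(key: bytes) -> bytes:
    """Assumed stand-in for a public identifier derived from the key.
    A real wallet derives a public key / address; a hash is enough to show
    that a one-way derivation does not protect a guessable seed."""
    return hashlib.sha256(b"address:" + key).digest()


def recover_seed(address: bytes, approx_ms: int, window_ms: int) -> Optional[int]:
    """Attacker's side: given only the public address and a rough idea of
    when the key was generated (file mtime, first transaction, ...),
    re-run the generator for every millisecond in the window."""
    for seed in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        if derive_address(weak_keygen(seed)) == address:
            return seed
    return None


def strong_keygen() -> bytes:
    """The fix: key bytes straight from the OS CSPRNG. No seed exists to guess."""
    return secrets.token_bytes(KEY_BYTES)


if __name__ == "__main__":
    created_ms = int(time.time() * 1000)
    key = weak_keygen(created_ms)
    address = derive_address(key)

    # Attacker's guess of the creation time is 17 s off; search +/- 60 s.
    guess_ms = created_ms + 17_000
    found = recover_seed(address, guess_ms, 60_000)
    print("seed recovered:", found == created_ms)
    print("key recovered :", found is not None and weak_keygen(found) == key)
    print("strong key    :", strong_keygen().hex())
```

The search in the demo covers 120,001 seeds and runs in about a second in plain Python; widening the window only scales the attacker's work linearly, and it parallelises trivially.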


What's the most random and wildly known way, apart from time based, to pick a seed value then?


Combine the time with some other incremental hard-to-predict inputs.

Start with the time, in milliseconds (not seconds, i.e. epoch time). Use that seed to create a random number. That random number is now your master_seed.

Once every 10 seconds, measure the temperature of the CPU, and every other temperature sensor in the system, and put that into a new random seed. Create a random number using this seed. XOR it with the master_seed and store it as the new master_seed.

Every time someone moves a mouse, use the timestamp and the pixel offset to update the master_seed similarly as above.

Every time a packet comes into the ethernet interface, use the timestamp and a hash of the packet contents, and update the random seed.

XOR the contents of the video buffer.

Track the timing of keyboard clicks.

There are lots of sources of entropy that you can use to make the seed effectively unguessable.
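The mixing scheme sketched in the comment above, written out as added example code (not the commenter's code and not any OS's implementation). It uses SHA-256 as the mixer instead of XORing PRNG outputs, so that an attacker who controls one input (say, the contents of incoming packets) cannot cancel out the contribution of another, and each extraction ratchets the state so a leaked output does not expose the pool. The event list is constructed to mirror the sources listed above (timestamps, a temperature reading, mouse coordinates, a packet hash, a keystroke); the platform hooks that would produce real readings are assumed and not shown. This illustrates where entropy comes from; an application should still take its random bytes from the OS CSPRNG, which performs this kind of mixing already.

```python
import hashlib
import struct
from typing import Iterable, List, Tuple

# (source name, timestamp in nanoseconds, payload bytes)
Event = Tuple[str, int, bytes]


class EntropyPool:
    """Hash-based entropy mixer. Every event is absorbed into a 32-byte
    state with SHA-256; seeds are extracted from the state with a
    domain-separation tag and a counter, then the state is ratcheted."""

    def __init__(self, initial: bytes = b"") -> None:
        self.state = hashlib.sha256(b"pool-init" + initial).digest()
        self.counter = 0

    def mix(self, source: str, timestamp_ns: int, payload: bytes) -> None:
        # Length-prefix the variable-length fields so two different events
        # can never serialise to the same byte string.
        record = (struct.pack(">H", len(source)) + source.encode()
                  + struct.pack(">Q", timestamp_ns)
                  + struct.pack(">I", len(payload)) + payload)
        self.state = hashlib.sha256(self.state + record).digest()

    def extract(self, nbytes: int = 32) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.counter += 1
            out += hashlib.sha256(
                b"extract" + self.state + struct.pack(">Q", self.counter)
            ).digest()
        # Ratchet: a leaked output must not allow reconstructing the pool.
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out[:nbytes]


def seed_from_events(events: Iterable[Event], nbytes: int = 32) -> bytes:
    """Feed a sequence of events into a fresh pool and pull one seed out."""
    pool = EntropyPool()
    for source, ts_ns, payload in events:
        pool.mix(source, ts_ns, payload)
    return pool.extract(nbytes)


def sample_events() -> List[Event]:
    """Constructed events standing in for the sources above; not real readings."""
    packet = b"\x45\x00\x00\x3c\xab\xcd\x40\x00\x40\x06\x00\x00\xc0\xa8\x00\x02"
    return [
        ("boot-time-ms", 1_700_000_000_123_000_000, struct.pack(">Q", 1_700_000_000_123)),
        ("cpu-temp", 1_700_000_000_456_000_000, struct.pack(">f", 47.25)),
        ("mouse", 1_700_000_001_002_000_000, struct.pack(">HH", 812, 377)),
        ("eth0", 1_700_000_001_040_000_000, hashlib.sha256(packet).digest()),
        ("keyboard", 1_700_000_001_350_000_000, b""),
    ]


if __name__ == "__main__":
    events = sample_events()
    print("seed:", seed_from_events(events).hex())
    # Nudging one mouse timestamp by a single nanosecond changes the whole seed.
    src, ts_ns, payload = events[2]
    events[2] = (src, ts_ns + 1, payload)
    print("seed after 1 ns change:", seed_from_events(events).hex())
```

The point the demo makes is that every input contributes to every output bit: the pool is deterministic given identical events, a one-nanosecond change in one event yields an unrelated seed, and successive extractions from the same pool differ because of the counter and ratchet.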


Just like anything else with cryptography, please don't roll your own. All major OSes and programming languages provide primitives to generate cryptographically strong random numbers; use those instead.


Yes!

I was hoping to illustrate, for the grandparent post, where more entropy can come from.


I'm guessing "wildly known" was a typo, but I'll bite onto that typo anyway and put forward https://en.wikipedia.org/wiki/Lavarand and Cloudflare's pendulums https://blog.cloudflare.com/harnessing-office-chaos.


Seed? Use a TRNG. Every embedded processor (nearly) has a NIST qualified TRNG. Ring-oscillator for entropy, plus conditioning (whitening), there's your seed. Sometimes amplified thermal noise, but the ROSC is the easiest to manufacture.


From a developer's point of view: if you are given an option to provide a seed value, you're using the wrong API. Libraries exist to provide cryptographically appropriate RNGs in every major programming language; use those instead.



